In a significant move, the Court of Justice of the European Union (CJEU) has ruled that the Data Retention Directive 2006/24/EC (Directive) is invalid. This decision is expected to have wide-reaching implications for privacy laws across the European Union.
On 8 April 2014, the CJEU held that the requirement imposed on internet service providers (ISP) and telecom companies to retain data for up to two years “entails a wide-ranging and particularly serious interference with [the] fundamental rights [to respect for private life and communications and to the protection of personal data] in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”
The Directive is a product of heightened security concerns in the aftermath of terrorist attacks around the world. It facilitated almost unqualified access by national authorities to the data collected by communications providers for the purpose of organised crime and terrorism prevention, investigation detection and prosecution. To enable this access, obligations were imposed on communications providers to retain certain data for between six months and two years.
Specifically, communications providers were required to retain traffic and location data as well as data necessary to identify users. It did not, however, permit the retention of communication content or of the information consulted by the user.
The CJEU found that the retained data revealed a phenomenal amount of information about individuals and their private lives. The data enabled the identification of persons with whom the user has communicated and by what means; the time and place of communication; and the frequency of communications with certain persons during a given period. From this data, a very clear picture could be formed of the private lives of users, including their daily habits, permanent or temporary places of residence, daily or other movement, activities carried out, social relationships and the social environments frequented.
The CJEU accepted the retention of data for use by national authorities for the legitimate objective of national security, however opined that the Directive went further than necessary to fulfil those objectives violating the proportionality principle.
It delineated five main concerns:
- Generality – The Directive applies to all individuals and electronic communications without exception.
- No Objective Criteria – The Directive did not stipulate any objective criteria and procedures with which national authorities should comply in order to access the data.
- No Proportionality of Retention Period – The minimum retention period of six months failed to provide for categories of data to be distinguished or for the possible utility of the data vis-à-vis the objectives pursued. Further, the Directive did not provide any objective criteria by which to determine the data retention period which would be strictly necessary according to the circumstances.
- Insufficient Safeguards – The Directive fails to provide sufficient safeguards against abuse and unlawful access and use of the data.
- Data may leave the EU – There is no requirement to retain the data in the EU to ensure compliance with data protection law.
The declaration of invalidity takes effect from the date of the Directive’s entry into force, i.e. 3 May 2006.
Communications providers are likely to experience a period of uncertainty about their ongoing obligations, especially in relation to data they currently hold, until the Commission clarifies the scope of their new obligations and whether it intends to amend the Directive or repeal it. EU Member States are also under an obligation to review their domestic laws to ensure compliance with the judgment and, where necessary, redraft these.
As with most European legislation, any legislative changes must be passed back and forth between the various European institutions in order to become law, a process which usually takes years. Bearing in mind that the current Commission’s term will end in October 2014, it is highly unlikely that it will commence any legislative procedures within the coming months. In the interim, the Commission shall assess the ruling and its impacts and hopefully respond with some practical guidance.